June 20, 2018

OCIE Issues New Cybersecurity Risk

Two weeks ago, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued its newest guidance on the subject of cybersecurity in the form of a new National Exam Program (NEP) Risk Alert, issued Sept. 15. In addition to the matters discussed below, the Risk Alert contains links to several earlier Commission and OCIE materials, including to the March 2014 SEC Cybersecurity roundtable, past NEP cybersecurity-related releases, and the 2015 SEC examination priorities.

With the purpose of “[providing] additional information on the areas of focus for OCIE’s second round of cybersecurity examinations” and in addition to informing industry participants that testing and assessing the implementation of cybersecurity procedures and controls will characterize the next phase of exams, the Risk Alert identifies six key areas of focus for OCIE: (1) governance and risk assessment; (2) access rights and controls; (3) data loss prevention; (4) vendor management; (5) training; and (6) incident response. The Risk Alert also provides a sample document request, which regulated entities may use in assessing their cybersecurity programs.

A firm’s cybersecurity program, by its nature, requires ongoing review and evaluation, and OCIE and its exam staff expect senior management and boards of directors to be involved. The release of the OCIE Risk Alert provides firms with a good opportunity to reevaluate their current cybersecurity programs – the six identified areas of focus highlight crucial elements of any cybersecurity program, while the sample document request provides a roadmap to the steps, processes, and documents that a regulated firm should consider in the implementation and maintenance of its cybersecurity program.

©2018 Greenberg Traurig, LLP. All rights reserved.


About this Author

Richard Cutshall, Greenberg Traurig Law Firm, Chicago, Corporate, Finance and Real Estate Law Attorney
Shareholder

Richard M. Cutshall has experience representing clients in a variety of investment management, corporate, and general securities matters, including the representation of mutual funds and other funds registered under the Investment Company Act of 1940, fund independent directors, unregistered investment companies, federally registered and state registered investment advisers, broker-dealers, and an array of public and private companies. 

Rich represents clients in all aspects of investment company practice, including organizing and forming new...

312-476-5121